Posts tagged ‘Vulnerability (computing)’

September 3, 2013

Code red? only 1 in 10 managers trust their applications’ security

A new report released by Quotium Technologies reveals a widespread concern about security flaws. Of the security managers interviewed, half believe their applications are vulnerable to attack. Other relevant data include:
* 80% believe off-the-shelf applications are not secure
* 11% trust their applications’ security level
* Approximately 50% do not know how often their organization’s software is currently targeted by hackers.

August 19, 2013

How to find the most updated list of network vulnerabilities and exposures

There has been a lot of discussion recently about which is the most up-to-date and definitive list of network vulnerabilities. We’ve decided to list the industry-standard network vulnerability lists. The order of the list is not significant:

US CERT

National Vulnerability Database Version 2.2 (http://nvd.nist.gov/): The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

CVE

The Common Vulnerabilities and Exposures (http://www.cve.mitre.org/): Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
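To show the cross-tool correlation this paragraph describes, here is an added Python example (not from the original post, MITRE, or any of the listed databases): it pulls CVE Identifiers out of two constructed tool outputs, normalises them, and reports which tool mentioned each one, so findings from different sources can be matched on the common name. The tool names, the report text and the CVE numbers are all constructed placeholders, and the NVD detail-page URL pattern is an assumption about the current site layout, not something taken from the page.

```python
import re
from collections import defaultdict

# CVE identifier syntax: "CVE-" + 4-digit year + "-" + 4 or more digits
# (the sequence part was widened beyond four digits in 2014, so the
# pattern accepts longer sequence numbers as well).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample outputs from two hypothetical tools. The CVE numbers
# below are placeholders, not references to real vulnerabilities.
SCANNER_REPORT = """\
host=10.0.0.5 port=443 plugin=ssl-check finding=CVE-2013-1001 severity=medium
host=10.0.0.5 port=80 plugin=web-check finding=cve-2013-1002 severity=critical
host=10.0.0.7 port=22 plugin=ssh-check finding=CVE-2013-1001 severity=medium
"""

VENDOR_ADVISORY = """\
Advisory ACME-2013-07: the update addresses CVE-2013-1002 and CVE-2013-1003.
Customers should also review CVE-2013-1001 (sample placeholder).
"""


def extract_cves(text):
    """Return the set of CVE IDs found in text, normalised to upper case."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


def correlate(reports):
    """reports maps tool name -> raw report text.

    Returns an ordered dict of CVE ID -> sorted list of tools that mention it,
    which is the join that a common identifier makes possible.
    """
    seen = defaultdict(set)
    for tool, text in reports.items():
        for cve in extract_cves(text):
            seen[cve].add(tool)
    return {cve: sorted(tools) for cve, tools in sorted(seen.items())}


def nvd_url(cve_id):
    # Assumed NVD detail-page URL pattern for looking up fix information.
    return f"https://nvd.nist.gov/vuln/detail/{cve_id}"


if __name__ == "__main__":
    merged = correlate({"scanner": SCANNER_REPORT, "advisory": VENDOR_ADVISORY})
    for cve, tools in merged.items():
        print(f"{cve}: reported by {', '.join(tools)} -> {nvd_url(cve)}")
```

Lower-case identifiers and duplicate hits from the same tool collapse into one entry, which is the point of keying on the CVE name rather than on each tool's own finding text.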

SANS

SANS (Sys Admin, Audit, Network, Security) Top 20 (www.sans.org/top20):

The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “What Works” – security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.

CERT

United States Computer Emergency Readiness Team (CERT) Vulnerability Notes Database (www.kb.cert.org/vuls/):

The Vulnerability Notes Database provides timely information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.

June 20, 2013

Microsoft’s new bounty program to find vulnerabilities and exploitation techniques

Microsoft has just announced that it will make cash payments in exchange for reports of certain vulnerabilities and exploitation techniques. The company will pay up to $100,000 USD for what it defines as “truly novel” exploitation techniques against protections built into its latest operating system (Mitigation Bypass Bounty).

In addition, Microsoft will pay up to $50,000 USD for defensive ideas that accompany the Mitigation Bypass Bounty.

Finally, Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

Pay-per-performance bounty programs have been around for a while, but it’s refreshing to see that Microsoft is putting some serious resources behind this initiative. This is definitely a smart move by Microsoft, especially when you consider the cost of just one engineer living in Redmond!

For more information please visit: http://www.microsoft.com/security/msrc/report/bountyprograms.aspx#